
update detections.json output with new rba structure #390


Status: Merged (6 commits, Apr 16, 2025)

Conversation

pyth0n1c (Contributor)

Move risk_score and risk_severity from
tags into higher level Detection_Abstract
object. Make sure risk_severity
is consistent and included only in
json content that requires it.
Updated serialization logic for
detections.json

Note that this PR also supersedes the following PR, which has been closed:
#379

@pyth0n1c pyth0n1c mentioned this pull request Mar 29, 2025
@pyth0n1c (Contributor, Author)

I have submitted a draft of the new objects to the relevant team and am waiting on feedback. This PR should remain in DRAFT until we receive that feedback and confirmation that it is correct.

@pyth0n1c pyth0n1c marked this pull request as draft March 29, 2025 22:22
null values when serializing
for api output
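The commit messages above describe two serialization rules: risk_score and risk_severity live on the top-level detection object rather than in tags, with risk_severity kept consistent and emitted only where needed, and null values are dropped from the API output. The following is an added illustration written for this page, not contentctl's own code; the dataclasses, the severity thresholds, the field names beyond those in the commit messages and the sample detection are all constructed assumptions.

```python
import json
from dataclasses import dataclass, field, asdict
from typing import Any, Optional


def risk_severity_for(risk_score: int) -> str:
    # Constructed thresholds (assumption): derive the label from the score so
    # the two fields can never disagree in serialized output.
    if risk_score >= 80:
        return "high"
    if risk_score >= 50:
        return "medium"
    return "low"


@dataclass
class Tags:
    # risk_score / risk_severity are deliberately absent: they moved up a level.
    analytic_story: list[str]
    mitre_attack_id: list[str] = field(default_factory=list)


@dataclass
class DetectionAbstract:
    name: str
    risk_score: int
    tags: Tags
    description: Optional[str] = None
    risk_severity: str = field(init=False, default="")

    def __post_init__(self) -> None:
        # Derived once at construction; callers cannot pass an inconsistent value.
        self.risk_severity = risk_severity_for(self.risk_score)


def drop_nulls(obj: Any) -> Any:
    """Recursively remove None-valued keys so the API output carries no nulls."""
    if isinstance(obj, dict):
        return {k: drop_nulls(v) for k, v in obj.items() if v is not None}
    if isinstance(obj, list):
        return [drop_nulls(v) for v in obj]
    return obj


def to_api_dict(detection: DetectionAbstract) -> dict[str, Any]:
    """detections.json shape: top-level risk fields, no nulls."""
    return drop_nulls(asdict(detection))


def to_api_json(detection: DetectionAbstract) -> str:
    # sort_keys keeps key order stable between runs, which makes diffing easier.
    return json.dumps(to_api_dict(detection), sort_keys=True)


def to_conf_dict(detection: DetectionAbstract) -> dict[str, Any]:
    """Output for content that only needs risk_score: risk_severity is omitted."""
    data = to_api_dict(detection)
    data.pop("risk_severity", None)
    return data
```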
@pyth0n1c pyth0n1c marked this pull request as ready for review April 16, 2025 14:28
@pyth0n1c (Contributor, Author)

After internal feedback approved of these changes, I have now marked it Ready for Review

@pyth0n1c (Contributor, Author)

I have taken a look by diffing the old JSON files and old Application files side by side. The only notable differences are the expected changes around rba and related objects in the detections.json files.

Some of the fields in some of these JSON files have their orderings change on subsequent runs - this ordering is not meaningful for our purposes (for example a list of MITRE enrichments) but we may consider sorting them in the future since they make diffing much more challenging and time-consuming.

@patel-bhavin (Contributor)

Verified the generation of the output and manually compared with https://securitycontent.scs.splunk.com/detections.json


The generation json file has been tested by the SSE team.

@patel-bhavin patel-bhavin merged commit a5b2817 into main Apr 16, 2025
16 checks passed